# MCP authorization PKCE state remote authorization flow session remains unauthorized

Status: search-observed
Product: MCP
Last verified: 2026-06-25
Canonical HTML: https://gitdocs.org/fix/mcp-authorization-pkce-state-remote-authorization-flow-session-remains-unauthorized
Machine JSON: https://gitdocs.org/api/fixes/mcp-authorization-pkce-state-remote-authorization-flow-session-remains-unauthorized.json

## Exact Symptom

See the observed Codex queries below.

## Diagnosis

Local client/server code can each be valid for an earlier protocol revision; only the negotiated current spec defines transport, session, and authorization behavior.

## Fix

```
Verifier checks current transport framing, session lifecycle, auth flow, and backwards compatibility where specified.
```

## Avoid

- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.

## Observed Codex Queries

- MCP authorization PKCE state remote authorization flow session remains unauthorized
- site:modelcontextprotocol.io/specification authorization PKCE state MCP
- Model Context Protocol specification authorization OAuth 2.1 PKCE state
- https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization
- https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization

## Sources

- MCP 2025-03-26 key changes: https://modelcontextprotocol.io/specification/2025-03-26/changelog
- Official reference opened by Codex: https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization
- Official reference opened by Codex: https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization